Because {cache_block}.cid doesn't include the base_url in the cache key, it's troublesome for sites that are accessible from multiple domains or protocols (for example, if your site is accessible via both HTTP and HTTPS).

It's also a potential security concern: in some configurations attackers can poison the block cache by forging the Host header. Images / links can be replaced with those of an attacker's choosing. (Note: this was discussed within the security team before deciding to fix publicly.)

Steps to reproduce:

(This assumes you have not explicitly set $base_url in settings.php, and that your Drupal site is the default virtual host.)

  • Create a block with this PHP code:
    <img src="<?php print file_create_url('sites/default/files/test.png'); ?>" />

    (This is just a demo; a more realistic scenario would be a View that displays an Image Field.)

  • Enable block caching, set this test block to BLOCK_CACHE_GLOBAL
  • Run this curl command: curl -H'Host: evil.com' example.com
  • Visit example.com in your browser; you'll see the cached version of the block with evil.com as the image source. In addition to replacing the image, evil.com now has access to the victim's browsing activity via the referrer logs.

Note: the patch is for D6. Also tagging as infrastructure; this may help with #952578: Fix any references to non https resources, fix redirects to avoid double encoding url parameters

Attached file: cache_block_base_url-D6.patch (1.06 KB, grendzy)
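To make the failure mode concrete, here is a small self-contained PHP model, added as an illustration and not Drupal's own code: a toy block cache, the host-unaware cid that lets whoever fills the entry first decide what every later visitor sees, and two fixes (the base URL folded into the cid, which is the change this issue asks for, and a trusted-host allowlist in the spirit of the D8 setting mentioned further down the thread). The class and function names and the plain-PCRE form of the allowlist are assumptions of the example.

```php
<?php
// Added illustration, not Drupal's own code. BlockCache, render_image_block()
// and the serve_block_* functions are hypothetical names for this example.

// In-memory stand-in for the {cache_block} table.
final class BlockCache
{
    /** @var array<string, string> */
    private $rows = [];

    public function get(string $cid): ?string
    {
        return $this->rows[$cid] ?? null;
    }

    public function set(string $cid, string $html): void
    {
        $this->rows[$cid] = $html;
    }
}

// Stand-in for what file_create_url() does when $base_url is not set in
// settings.php: the absolute URL is built from the incoming Host header.
function render_image_block(string $host): string
{
    return '<img src="http://' . $host . '/sites/default/files/test.png" />';
}

// Shared cache-aside logic: return the cached row for $cid, rendering and
// storing it on a miss. Which $cid the caller picks is the whole point.
function fetch_or_render(BlockCache $cache, string $cid, string $host): string
{
    $html = $cache->get($cid);
    if ($html === null) {
        $html = render_image_block($host);
        $cache->set($cid, $html);
    }
    return $html;
}

// Vulnerable pattern: with BLOCK_CACHE_GLOBAL the cid is just module:delta, so
// the request that first populates the entry chooses the host for everyone.
function serve_block_unkeyed(BlockCache $cache, string $host): string
{
    return fetch_or_render($cache, 'block:test', $host);
}

// Fix 1: fold the base URL into the cid. A request carrying Host: evil.com can
// only fill or read the evil.com entry; example.com's entry is never touched.
function serve_block_keyed(BlockCache $cache, string $host): string
{
    return fetch_or_render($cache, 'block:test:http://' . $host, $host);
}

// Fix 2: reject untrusted Host headers before anything is rendered or cached.
// Modelled loosely on D8's $settings['trusted_host_patterns']; here the
// patterns are plain PCRE regexes, which is an assumption of this example.
function serve_block_trusted(BlockCache $cache, string $host, array $trustedHostPatterns): string
{
    foreach ($trustedHostPatterns as $pattern) {
        if (preg_match($pattern, $host) === 1) {
            return serve_block_unkeyed($cache, $host);
        }
    }
    throw new RuntimeException('Untrusted Host header: ' . $host);
}

// Attacker's request (curl -H 'Host: evil.com') followed by the victim's visit.
$trusted = ['/^example\.com$/i'];

$cache = new BlockCache();
serve_block_unkeyed($cache, 'evil.com');
echo 'unkeyed : ', serve_block_unkeyed($cache, 'example.com'), PHP_EOL;

$cache = new BlockCache();
serve_block_keyed($cache, 'evil.com');
echo 'keyed   : ', serve_block_keyed($cache, 'example.com'), PHP_EOL;

$cache = new BlockCache();
try {
    serve_block_trusted($cache, 'evil.com', $trusted);
} catch (RuntimeException $e) {
    echo 'trusted : ', $e->getMessage(), PHP_EOL;
}
echo 'trusted : ', serve_block_trusted($cache, 'example.com', $trusted), PHP_EOL;
```

Run it with the php command-line binary; each line shows the markup (or the rejection) that a visitor at example.com receives after the attacker's request has been processed under that variant. Note that fix 1 alone still lets the attacker cache arbitrary-host markup under evil.com's own key, so the allowlist is the stronger control and the two are best combined.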

Comments

aspilicious

Version: 7.x-dev » 6.x-dev
Status: Patch (to be ported) » Needs review

Why is this 7.x then, if it's a D6 patch? o_O If this needs to be fixed in 7.x or 8.x, move it to 8.x with status needs work.

grendzy

Version: 6.x-dev » 8.x-dev
Status: Needs review » Needs work

AFAIK, it's still in D8.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

jhedstrom

Issue summary: View changes
Status: Needs work » Postponed (maintainer needs more info)

I cannot reproduce this in D8. I didn't test with the php module, but instead added a view footer to the front page (using the [site-url] token). When I grab the front page from a different domain (e.g., evil.com), it uses that as the site url, but when I revisit the normal domain, that url doesn't persist.

grendzy

Version: 8.2.x-dev » 7.x-dev
Status: Postponed (maintainer needs more info) » Needs work

Cool. In any case, I think this is effectively mitigated in D8 by $settings['trusted_host_patterns'].

Still an issue in D7:
https://api.drupal.org/api/drupal/modules%21block%21block.module/functio...